From a91c3f1dd0ab28707e74ca5f1416a5712e71c0f7 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:10:13 +0300 Subject: [PATCH 1/8] Add CVE to bug #71912 (PHP 5.6.21) --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index e54e83aa20b..f20e0021a8c 100644 --- a/NEWS +++ b/NEWS @@ -25,7 +25,7 @@ PHP NEWS - GD: . Fixed bug #71952 (Corruption inside imageaffinematrixget). (Stas) - . Fixed bug #71912 (libgd: signedness vulnerability). (Stas) + . Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074) (Stas) - Intl: . Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative From b8b2dd1a4338abe4c19a9b13af2a4f94ba4e5b63 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:11:54 +0300 Subject: [PATCH 2/8] Add CVE IDs PHP 5.6.20 --- NEWS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index f20e0021a8c..799ac79547d 100644 --- a/NEWS +++ b/NEWS @@ -80,17 +80,17 @@ PHP NEWS - Fileinfo: . Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic - file). (Anatol) + file). (CVE-2015-8865) (Anatol) - Mbstring: . Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in - mbfl_strcut). (Stas) + mbfl_strcut). (CVE-2016-4073) (Stas) - ODBC: . Fixed bug #47803, #69526 (Executing prepared statements is succesfull only for the first two statements). (einavitamar at gmail dot com, Anatol) . Fixed bug #71860 (Invalid memory write in phar on filename with \0 in - name). (Stas) + name). (CVE-2016-4072) (Stas) - PDO_DBlib: . Fixed bug #54648 (PDO::MSSQL forces format of datetime fields). 
@@ -103,11 +103,11 @@ PHP NEWS - SNMP: . Fixed bug #71704 (php_snmp_error() Format String Vulnerability). - (andrew at jmpesp dot org) + (CVE-2016-4071) (andrew at jmpesp dot org) - Standard: . Fixed bug #71798 (Integer Overflow in php_raw_url_encode). - (taoguangchen at icloud dot com, Stas) + (CVE-2016-4070) (taoguangchen at icloud dot com, Stas) 03 Mar 2016, PHP 5.6.19 From a23ae0f436b1c11fcd600f6d18a56b150aa339b5 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:15:30 +0300 Subject: [PATCH 3/8] Add CVE IDs PHP 5.6.18 --- NEWS | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 799ac79547d..81a9afd2fc7 100644 --- a/NEWS +++ b/NEWS @@ -182,15 +182,19 @@ PHP NEWS on the same server). (Anatol) - PCRE: - . Upgraded bundled PCRE library to 8.38. + . Upgraded bundled PCRE library to 8.38. (CVE-2015-8383, CVE-2015-8386, + CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, + CVE-2015-8394) - Phar: - . Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (Stas) + . Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (CVE-2016-4342) + (Stas) . Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343) (Stas) . Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()). (Stas) - . Fixed bug #71488 (Stack overflow when decompressing tar archives). (Stas) + . Fixed bug #71488 (Stack overflow when decompressing tar archives). + (CVE-2016-2554) (Stas) - Session: . Fixed bug #69111 (Crash in SessionHandler::read()). (Anatol) From 34fc0ec3774dd6388f0899f56325794b61e32a9e Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:16:27 +0300 Subject: [PATCH 4/8] Add CVE to bug #70976 (PHP 5.6.17) --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 81a9afd2fc7..667ca986b0e 100644 --- a/NEWS +++ b/NEWS 
@@ -227,7 +227,7 @@ PHP NEWS - GD: . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index - Out of Bounds). (emmanuel dot law at gmail dot com) + Out of Bounds). (CVE-2016-1903) (emmanuel dot law at gmail dot com) - Mysqlnd: . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction). From 91fd5406bc875ae238e12215046473bd4f8c4ec7 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:17:34 +0300 Subject: [PATCH 5/8] Add CVE IDs PHP 5.6.14 --- NEWS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 667ca986b0e..d8fd5cb46c7 100644 --- a/NEWS +++ b/NEWS @@ -340,9 +340,10 @@ PHP NEWS . Fixed bug #70389 (PDO constructor changes unrelated variables). (Laruence) - Phar: - . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (Stas) + . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). + (CVE-2015-7803) (Stas) . FIxed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip - entry filename is "/"). (Stas) + entry filename is "/"). (CVE-2015-7804) (Stas) - Phpdbg: . Fix phpdbg_break_next() sometimes not breaking. (Bob) From 26f8ee48d6476b884bc63186051929cb1af28c78 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:19:46 +0300 Subject: [PATCH 6/8] Add CVE IDs PHP 5.6.13 --- NEWS | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index d8fd5cb46c7..53a43faabcf 100644 --- a/NEWS +++ b/NEWS 
@@ -365,9 +365,10 @@ PHP NEWS . Fixed bug #69487 (SAPI may truncate POST data). (cmb) . Fixed bug #70198 (Checking liveness does not work as expected). (Shafreeck Sea, Anatol Belski) - . Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (Stas) + . Fixed bug #70172 (Use After Free Vulnerability in unserialize()). + (CVE-2015-6834) (Stas) . Fixed bug #70219 (Use after free vulnerability in session deserializer). - (taoguangchen at icloud dot com) + (CVE-2015-6835) (taoguangchen at icloud dot com) - CLI server: . Fixed bug #66606 (Sets HTTP_CONTENT_TYPE but not CONTENT_TYPE). @@ -407,16 +408,16 @@ PHP NEWS - SOAP: . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). - (Stas) + (CVE-2015-6836) (Stas) - SPL: . Fixed bug #70290 (Null pointer deref (segfault) in spl_autoload via ob_start). (hugh at allthethings dot co dot nz) . Fixed bug #70303 (Incorrect constructor reflection for ArrayObject). (cmb) . Fixed bug #70365 (Use-after-free vulnerability in unserialize() with - SplObjectStorage). (taoguangchen at icloud dot com) + SplObjectStorage). (CVE-2015-6834) (taoguangchen at icloud dot com) . Fixed bug #70366 (Use-after-free vulnerability in unserialize() with - SplDoublyLinkedList). (taoguangchen at icloud dot com) + SplDoublyLinkedList). (CVE-2015-6834) (taoguangchen at icloud dot com) - Standard: . Fixed bug #70052 (getimagesize() fails for very large and very small WBMP). @@ -425,11 +426,12 @@ PHP NEWS INI_SCANNER_TYPED). (Tjerk) - XSLT: - . Fixed bug #69782 (NULL pointer dereference). (Stas) + . Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838) + (Stas) - ZIP: . Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when - creating directories). (neal at fb dot com) + creating directories). (CVE-2014-9767) (neal at fb dot com) 06 Aug 2015, PHP 5.6.12 From eeea33db686941a3ec045137bf66630c5cb9ec12 Mon Sep 17 00:00:00 2001 
From: Lior Kaplan Date: Fri, 29 Apr 2016 13:21:35 +0300 Subject: [PATCH 7/8] Add CVE IDs PHP 5.6.12 --- NEWS | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 53a43faabcf..2df96279fe6 100644 --- a/NEWS +++ b/NEWS @@ -471,12 +471,12 @@ PHP NEWS . Fixed bug #69882 (OpenSSL error "key values mismatch" after openssl_pkcs12_read with extra cert). (Tomasz Sawicki) . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically - secure). (Stas) + secure). (CVE-2015-8867) (Stas) - Phar: . Improved fix for bug #69441. (Anatol Belski) . Fixed bug #70019 (Files extracted from archive may be placed outside of - destination directory). (Anatol Belski) + destination directory). (CVE-2015-6833) (Anatol Belski) - SOAP: . Fixed bug #70081 (SoapClient info leak / null pointer dereference via @@ -484,13 +484,13 @@ PHP NEWS - SPL: . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject - items). (sean.heelan) + items). (CVE-2015-6832) (sean.heelan) . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with - SPLArrayObject). (taoguangchen at icloud dot com) + SPLArrayObject). (CVE-2015-6831) (taoguangchen at icloud dot com) . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with - SplObjectStorage). (taoguangchen at icloud dot com) + SplObjectStorage). (CVE-2015-6831) (taoguangchen at icloud dot com) . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with - SplDoublyLinkedList). (taoguangchen at icloud dot com) + SplDoublyLinkedList). (CVE-2015-6831) (taoguangchen at icloud dot com) - Standard: . Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes). (cmb) From 76a5117da7dd8100743dfa43f9508e93ae0ac7e8 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Fri, 29 Apr 2016 13:23:41 +0300 Subject: [PATCH 8/8] Add CVE to bug #69719 (PHP 5.6.10) --- NEWS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/NEWS b/NEWS index 2df96279fe6..12dfcf4dd88 100644 --- a/NEWS +++ b/NEWS @@ -577,7 +577,8 @@ PHP NEWS on Windows. (Jorge Oliveira, Anatol) . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). (CVE-2015-4642) (Anatol Belski) - . Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas) + . Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598) + (Stas) - FTP . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in
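Review bot: in patch 2/8, hunk @@ -80,17, the entry that receives CVE-2016-4072 (bug #71860, "Invalid memory write in phar on filename with \0 in name") sits under the "- ODBC:" heading in the visible context, although its text describes phar. Since the line is being edited anyway, consider moving it under a "- Phar:" heading, so that anyone scanning NEWS by extension to decide whether a CVE affects them finds it where they expect. The neighbouring context line also reads "succesfull", which could be corrected in the same pass.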
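Review bot: in patch 3/8, hunk @@ -182,15, bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()) is the only Phar entry in the hunk left without a CVE ID after this change, while #71354, #71331 and #71488 all carry one. Please confirm that no ID was assigned to it, and say so in the commit message if that is the case, so the gap does not read as an omission. A smaller style point in the same hunk: the ID for #71354 is placed at the end of the description line and the ID for #71488 on the continuation line; picking one placement keeps the file easy to search.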
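Review bot: in patch 5/8, hunk @@ -340,9, the entry for bug #70433 begins with "FIxed" (capital I) on the unchanged line directly above the continuation line this patch edits. A search for "Fixed bug #70433" or a script that parses NEWS entries by the ". Fixed bug" prefix will miss the entry and the CVE-2015-7804 tag added to it, so correct the spelling to "Fixed" in this commit.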
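Review bot: in patch 6/8, hunk @@ -408,16, CVE-2015-6834 is attached to both SPL entries (#70365 and #70366) and also to #70172 in the preceding hunk, while the XSLT entry for #69782 receives two IDs (CVE-2015-6837, CVE-2015-6838) for a single bug. If one ID is meant to cover several unserialize() use-after-free bugs, and one bug maps to two IDs, a sentence in the commit message stating this would show that the repetition is intentional and not a copy-paste slip. The same question applies to CVE-2015-6831, which patch 7/8 attaches to #70166, #70168 and #70169.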